Google fixed critical zero-click RCE in Android

Pierluigi Paganini December 05, 2023

Google fixed a critical zero-click RCE vulnerability (CVE-2023-40088) with the release of the December 2023 Android security updates.

Google December 2023 Android security updates addressed 85 vulnerabilities, including a critical zero-click remote code execution (RCE) flaw tracked as CVE-2023-40088.

The vulnerability resides in Android’s System component, it doesn’t require additional privileges to be triggered. An attacker can exploit the vulnerability to execute arbitrary code on the vulnerable devices without user interaction

“The most severe vulnerability in this section could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.” reads the security advisory.

The IT giant also addressed the following critical vulnerabilities in the Framework component

CVEReferencesTypeSeverityUpdated AOSP versions
CVE-2023-40077A-298057702EoPCritical11, 12, 12L, 13, 14

in the System component:

CVEReferencesTypeSeverityUpdated AOSP versions
CVE-2023-45866A-294854926EoPCritical11, 12, 12L, 13, 14

and the following one in the Qualcomm closed-source components

CVE-2022-40507A-261468680 *CriticalClosed-source component

Android users should promptly address the vulnerabilities once the patch becomes publicly available.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Android)

you might also like

leave a comment